This answer evolved over time as there were two issues eventually listed - the first related to "Fail to decrypt the encrypted credential information - not well-formed (invalid token)", and the second related to the following message: "APIError: 'status=403, error_code=12, error_msg=This request contains an invalid token". The second issue was resolved by the latest TA release... From following the answer thread, the first issue was resolved from the post on August 25 @ 8:07 am, which states: "I was able to resolve the curl issue, but only after removing passwords.conf and replacing the password in tenable_sc_server.conf and then restarting Splunk a few times." I would recommend re-configuring the TA, ensuring the passwords.conf and tenable_sc_server.conf files are correct. Also, make sure Splunk is restarted - just in case. Hope that helps... ... View more

@worshamn - I received the same answer with support... Same issue, same version of Security Center. ... View more

Are you sure there are tabs preceding the "employeeType" value? Here's a few suggestions to try: employeeType\n\t+(?\w+) If there are tabs prior to the employeeType value, this should account for 1 or more tabs in the regex employeeType\n\s+(?\w+) If these are actually spaces, this should work employeeType\s+(?\w+) In my quick testing on https://regex101.com, I observed the regex did not need the newline token (\n) - so you could try your regex without it Hope this helps, Jamie ... View more

Currently, if you install the UF with the MSI installer - it will install Splunk_TA_windows on your forwarder by default. The workaround for this (not installing TA_windows with the UF install) is to use the command line install option and perform a silent install of the forwarder. You could also try to "customize" the install (with MSI installer) and not accept the defaults - if you do not select any input options, it is possible that TA_windows will not get installed, but I'm not 100% sure on this one. Feel free to test this one out. ... View more

I did not find any documentation stating that this is a bug, but I will follow up with others just to make sure. ... View more

Upgrading from 5.0.X to 6.4.X is not officially supported, I believe you will need to upgrade in a step-process. See the following link for more info, scroll down on the page to the "Upgrade from..." sections: http://docs.splunk.com/Documentation/Splunk/6.4.0/Installation/HowtoupgradeSplunk ... View more

This request must be submitted and your app will be vetted by the Cloud Ops team - they will make the final decision. ... View more

You likely won't get a copy of the authorize.conf from the Cloud team, but you were able to compare the list I provided in the UI. I don't believe any of these settings you provided would impact the ability to see internal indexes. At this point, I would suggest setting up inheritance from either the "user" role or "power" role, or possibly both - which is similar to the way the admin role is setup. ... View more

First, make sure your Cisco data is getting to your indexers... Go to the search screen and run "index=. If this does not return results, check your inputs.conf where this TA was installed on your forwarder. Second (if you are getting Cisco data to your indexer(s), go to Settings -> Access Controls -> Roles and then select the role assigned to the user you have having this issue with. Under the "Indexes searched by default" and "Indexes" sections at the bottom of this screen, either add the Cisco specific indexes to the "selected" columns or just add "All non-internal indexes" to both columns. The app performs searches on the sourcetypes from the TA's and needs access to the indexes by default, so if the app doesn't have default search access to the indexes, there will be no results found/returned for the dashboards. Hope this helps... ... View more

Are you running a trial license or a full Splunk license on this Splunk instance? I've seen similar issues when using a trial license (some functionality is disabled on a trial license). You can check by going to Settings -> Licensing. ... View more

Hi jameswortman, could you tell me a little more about your environment? I have not seen this specific error before related to this app, but hopefully we can figure it out... Version of Splunk you're running? Version of Linux? Version of the Website Monitoring app? What is the user/group that "owns" the directories and files in your Splunk installation? Does the Website Monitoring app match that ownership and permissions? What user are you using to create the input? If not admin, what role has been assigned to that user? What permissions (from the Manage Apps UI screen) does the Website Monitoring app have? It should be Global, everyone read, admin write. ... View more

Excellent! Thanks for the follow-up on this! I've previously seen this app work correctly in a Windows 2012R2 environment, but never in a Windows 2008R2. I'm not saying it is definitely an issue with 2008R2, but it's a possibility. ... View more

You're correct that you don't typically have access to the authorize.conf within Splunk Cloud, and I forgot about that as I sent my previous post - sorry about that. The one I have access to is a unique situation, so typically no access is available. You can compare what I sent you against your custom role within the UI: Settings -> Access Controls -> Note: The srchIndexesAllowed and srchIndexesDefault in the listing above relates to the indexes sections at the bottom of that screen, in which mine has access to All Internal Indexes and All Non-Internal Indexes for both. ... View more

Ok, that sounds like a plan... But a couple more things, just in case... (Just confirming at this point) Are you attempting to configure the website monitoring input as admin or a different user/role? Go to Settings -> Access Controls -> Roles -> (Specific Role of User performing the website monitoring action). Under Capabilities, make sure the following are selected (if they are not, then select them): edit_modinput_web_ping list_inputs ... View more

Ok, thanks for your prompt response on that... So, I tested your scenario out in a Splunk Cloud instance - creating a custom admin role, assigning no inheritance, assigning specific capabilities (1-for-1 match of default admin role capabilities), and selecting "All internal indexes" under "Indexes searched by default" and "Indexes" sections. Then, I created a new user and assigned that user the custom_admin role. After saving it, I was able to login as the user assigned to the custom_admin role and successfully receive results from a search of "index=_*". I'm posting my authorize.conf below (kinda lengthy) - compare this list to your authorize.conf, add any capabilities missing from your custom admin role to your role. You should be able to find yours under $SPLUNK_DB/etc/system/local/authorize.conf. Also, if this doesn't work for you, you may want to at least setup inheritance from the "user" or "power" role. [role_custom_admin] accelerate_datamodel = enabled accelerate_search = enabled admin_all_objects = enabled can_own_notable_events = enabled change_authentication = enabled create_external_ticket = enabled cumulativeRTSrchJobsQuota = 400 cumulativeSrchJobsQuota = 200 edit_correlationsearches = enabled edit_deployment_client = enabled edit_deployment_server = enabled edit_dist_peer = enabled edit_forwarders = enabled edit_httpauths = enabled edit_input_defaults = enabled edit_log_review_settings = enabled edit_modinput_threatlist = enabled edit_modinput_web_ping = enabled edit_monitor = enabled edit_notable_events = enabled edit_per_panel_filters = enabled edit_postprocess = enabled edit_reviewstatuses = enabled edit_roles = enabled edit_scripted = enabled edit_search_head_clustering = enabled edit_search_scheduler = enabled edit_search_server = enabled edit_server = enabled edit_sourcetypes = enabled edit_splunktcp = enabled edit_splunktcp_ssl = enabled edit_suppressions = enabled edit_tcp = enabled edit_token_http = enabled edit_udp = enabled edit_user = enabled edit_view_html = enabled edit_web_settings = enabled embed_report = enabled get_diag = enabled get_metadata = enabled get_typeahead = enabled indexes_edit = enabled input_file = enabled license_edit = enabled license_tab = enabled list_deployment_client = enabled list_deployment_server = enabled list_forwarders = enabled list_httpauths = enabled list_search_head_clustering = enabled list_search_scheduler = enabled output_file = enabled pattern_detect = enabled request_remote_tok = enabled rest_apps_management = disabled rest_apps_view = disabled rest_properties_get = disabled rest_properties_set = disabled restart_splunkd = enabled rtSrchJobsQuota = 100 rtsearch = enabled run_debug_commands = enabled schedule_search = enabled search = enabled srchDiskQuota = 25000 srchIndexesAllowed = ;_ srchIndexesDefault = ;_ srchJobsQuota = 50 srchMaxTime = 0 srchTimeWin = 0 web_debug = enabled ... View more

Are you receiving "No results found" after the search, or nothing at all? Can that user search any data/index at all? ... View more

So, currently a user under the custom admin role is unable to see the graphs in the DMC - but if they execute a search of "index=_*", do they see results? ... View more

It sounds like there is some difference(s) between the out of the box admin role and the custom admin role. Here's my suggestions to review/change and these are all under Settings->Access Controls->(Custom Admin Role): 1) Under -> Indexes Searched by Default - Make sure "All Internal Indexes" is selected 2) Under -> Indexes - Make sure "All Internal Indexes" is selected If these do not resolve your issue, check the list of capabilities between the original admin role and your custom admin role - if any capabilities are missing when comparing against the original admin role, add those missing capabilities to the custom admin role. ... View more

Did you install the app from the UI or the CLI? If you installed through the UI, your account should have been under the admin role and that should have installed fine, with no issues. If you installed via the CLI, make sure the "website_monitoring" directory is owned by the correct user and has the correct permissions (mirroring the rest of the Splunk install on that server). If the ownership and/or permissions do not match the rest of the Splunk install, make those changes to the entire directory for website_monitoring. Another recommendation would be to make sure your Splunk instance is running on a recent release/version - such as 6.3.X Hope this helps... ... View more

I'm not familiar with the TA naming convention I see in your logs -> avn_its_TA_microsoft_hyperv. I downloaded the most recent version of the Splunk Add-on for Microsoft Hyper-V and extracted the tarball and observed the naming convention of the TA is: Splunk_TA_Microsoft-hyperv. So I would suggest going to splunkbase and downloading the most recent version available, which would be version 2.0.1, and deploying this version in your environment. Also, note that you can deploy the add-on from the Cluster Master by running: splunk apply cluster-bundle --skip-validation This will skip the validation on the Cluster Master and deploy to the indexers. Hope this helps... ... View more

I've used it most recently on 6.3.3 with no issues. However, it also states on Splunkbase that this app is "Community Supported". ... View more

Thanks for checking that out... I'd say it's a permissions issue somewhere... When the lookup table(s) were initially uploaded, were they given global permissions and the ability for users in this role to read and/or write to those lookup table(s)? What about the Permissions of Lookup File Editor App? Go to Manage Apps and check permissions set for the app itself. Finally, this could be a permissions issue within the file system where Splunk is installed... You may want to check out your file system and ensure the system level user that starts Splunk has write access to the directory/file(s) in which you're trying to access the lookup table(s). ... View more